WS-SecureConversation Xiuduan Fang
Agenda • Introduction • Security Context Token • Establishing Security Context • Deriving Keys • SecureConversation in Action • Conclusion • References
Introduction to WS-SecureConversation • Why introduce WS-SecureConversation? • Consider the functions of WS-Security • message integrity • message confidentiality • single message authentication
Introduction to WS-SecureConversation • What if senders and receivers need to exchange multiple messages?
Introduction to WS-SecureConversation • A Feasible Solution • Protect every message with a security token obtained from a token-issuing service, i.e. repeat the single-message WS-Security model for each message. • Drawback: the full token and its key material travel with every message, so message size becomes a performance bottleneck.
Introduction to WS-SecureConversation • A Better Solution • WS-SecureConversation • Similar in spirit to an SSL session: the expensive part is done once • Introduce a security context (a shared secret established between the parties) • The context is represented by a SecurityContextToken. Once it is created, subsequent messages only reference the context instead of carrying a full token, so they are smaller and can be processed faster by both ends.
Introduction to WS-SecureConversation • Goals • Define how security contexts are established • Specify how derived keys are computed and passed • Non-Goals • Define how trust is established or determined—that is done by WS-Trust
Security Context Token <SecurityContextToken> describes a security context.
Syntax of Security Context Token
<wsse:SecurityContextToken wsu:Id="...">
  <wsu:Identifier>...</wsu:Identifier>
  <wsu:Created>...</wsu:Created>
  <wsu:Expires>...</wsu:Expires>
  <wsse:Keys>
    <xenc:EncryptedKey Id="...">...</xenc:EncryptedKey>
    <wsse:SecurityTokenReference>...</wsse:SecurityTokenReference>
    ...
  </wsse:Keys>
</wsse:SecurityContextToken>
Security Context Token Example
<wsse:SecurityContextToken wsu:Id="SecurityToken-f3dfe69f-4bd6-41f9-b198-bb6247d14780">
  <wsu:Identifier>uuid:f1971e12-f402-433d-bf7d-29c78a0a81eb</wsu:Identifier>
  <wsu:Created>2003-07-08T02:52:55Z</wsu:Created>
  <wsu:Expires>2003-07-08T06:52:55Z</wsu:Expires>
</wsse:SecurityContextToken>
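The token above carries a lifetime, and a receiver that keeps using a context after its Expires time throws away the bound the issuer set. The following is an added example (it is not code from the deck or from WSE) of the check a receiver should make: parse the token and refuse it outside the Created/Expires window. The namespace URIs are an assumption for the 2002 drafts the slides quote (the code matches on local names, so other URIs work unchanged), and the clock-skew allowance is a parameter chosen here for illustration.

```python
# Added example, not from the slides: parse a <SecurityContextToken> and decide
# whether the context may still be used at a given instant.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs are an assumption (the 2002 drafts the slides quote); the
# functions below match on local names, so other URIs work unchanged.
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"

# Constructed token carrying the same values as the slide's example.
SCT_XML = f"""<wsse:SecurityContextToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    wsu:Id="SecurityToken-f3dfe69f-4bd6-41f9-b198-bb6247d14780">
  <wsu:Identifier>uuid:f1971e12-f402-433d-bf7d-29c78a0a81eb</wsu:Identifier>
  <wsu:Created>2003-07-08T02:52:55Z</wsu:Created>
  <wsu:Expires>2003-07-08T06:52:55Z</wsu:Expires>
</wsse:SecurityContextToken>"""


def _local(tag: str) -> str:
    """Strip the {namespace} part ElementTree prepends to qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _utc(text: str) -> datetime:
    """Parse the xsd:dateTime form used in wsu:Created / wsu:Expires (UTC, 'Z')."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sct(xml_text: str) -> dict:
    """Return identifier, created and expires. Identifier is mandatory;
    the two timestamps are optional and come back as None when absent."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "SecurityContextToken":
        raise ValueError("root element is not a SecurityContextToken")
    fields = {_local(child.tag): (child.text or "") for child in root}
    if not fields.get("Identifier", "").strip():
        raise ValueError("SecurityContextToken has no Identifier")
    return {
        "identifier": fields["Identifier"].strip(),
        "created": _utc(fields["Created"]) if "Created" in fields else None,
        "expires": _utc(fields["Expires"]) if "Expires" in fields else None,
    }


def context_usable(sct: dict, now_iso: str, skew_seconds: int = 0) -> bool:
    """True only while Created <= now < Expires, widened by an allowed clock skew."""
    now = _utc(now_iso)
    skew = timedelta(seconds=skew_seconds)
    if sct["created"] is not None and now < sct["created"] - skew:
        return False  # not valid yet: skewed clock, or a token presented before its time
    if sct["expires"] is not None and now >= sct["expires"] + skew:
        return False  # lifetime over: the context must be renewed or re-established
    return True


if __name__ == "__main__":
    token = parse_sct(SCT_XML)
    for when in ("2003-07-08T04:00:00Z", "2003-07-08T06:52:55Z"):
        print(when, "usable" if context_usable(token, when) else "rejected")
```

The expiry test is exclusive (a token is rejected at exactly its Expires instant), and the skew is applied symmetrically; a token with no Expires element never ages out here, which is something a real receiver should treat as a policy decision rather than silently accept.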
Establishing Security Context • A security context needs to be created and shared by the communicating parties before being used. • How? • created by a security token service (STS) • created by one of the communicating parties and propagated with a message • created through negotiation
Way 1: Created by a Security Token Service • Process • The initiator sends a <RequestSecurityToken> to the STS and receives the context, together with its proof key, in a <RequestSecurityTokenResponse>
<RequestSecurityToken> Example
<S:Body wsu:Id="req">
  <RequestSecurityToken>
    <TokenType>wsse:SecurityContextToken</TokenType>
    <RequestType>wsse:ReqIssue</RequestType>
  </RequestSecurityToken>
</S:Body>
<RequestSecurityTokenResponse> Example
<S:Body>
  <RequestSecurityTokenResponse>
    <RequestedSecurityToken>
      <wsse:SecurityContextToken>
        <wsu:Identifier>uuid:...</wsu:Identifier>
      </wsse:SecurityContextToken>
    </RequestedSecurityToken>
    <RequestedProofToken>
      <xenc:EncryptedKey Id="newProof">
        ...
      </xenc:EncryptedKey>
    </RequestedProofToken>
  </RequestSecurityTokenResponse>
</S:Body>
Way 2: Created by One of The Communicating Parties • Process • The initiator creates a security context token and sends it to the other parties in a message • The recipient can then choose whether or not to accept the security context token • Application • This model works when the sender is trusted to always create a new security context token.
Way 3: Created through Negotiation • Process • The initiating party sends a <RequestSecurityToken> request to the other party • A <RequestSecurityTokenResponse> is returned • These two steps are repeated until a final response containing a <SecurityTokenReference> and a <ProofTokenReference> is received • Application • The participants need to negotiate the contents of the security context token, such as the shared secret, rather than have one side dictate them
Deriving Keys • Once the context and its secret have been established (and authenticated), the derived-keys mechanism can be used to compute a separate derived key for each key usage within the security context, so the shared secret itself is never used directly. • Example • Four keys may be derived so that each of the two parties signs and encrypts with its own separate keys.
Deriving Keys • Algorithms • Starting from the common secret, the parties may agree on different key derivation functions • Default: the P_SHA-1 function (referred to as wsse:PSHA1), the same P_hash construction used by the TLS PRF, applied as
  P_SHA1(secret, label + seed)
Deriving Keys • The <DerivedKeyToken> element indicates that the key used for a given operation is derived (by default with P_SHA-1) from the secret of the security token it references, rather than being that secret itself. • Example: generation 2 of the key derived from the context ctx1
<DerivedKeyToken>
  <SecurityTokenReference>
    <Reference URI=".../ctx1"/>
  </SecurityTokenReference>
  <Generation>2</Generation>
</DerivedKeyToken>
Subsequent Derivation Example • A derived key can itself be the source of further derivations: the first token names its result .../derivedKeySource and supplies a new label and nonce; the second token derives generation 0 from that source.
<DerivedKeyToken>
  <Properties>
    <Name>.../derivedKeySource</Name>
    <Label>NewLabel</Label>
    <Nonce>FHFE...</Nonce>
  </Properties>
  <Generation>3</Generation>
</DerivedKeyToken>
<DerivedKeyToken wsu:Id="newKey">
  <SecurityTokenReference>
    <Reference URI=".../derivedKeySource"/>
  </SecurityTokenReference>
  <Generation>0</Generation>
</DerivedKeyToken>
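The derivation described in the Deriving Keys slides, carried through as an added example (it is not code from the deck or from WSE): the default P_SHA-1 expansion, the selection of one generation from its output, and the four per-party, per-purpose keys the earlier slide mentions. Assumptions made here: 128-bit keys, the label "WS-SecureConversation", generation N meaning the N-th key-length block of the P_SHA-1 output (later spec versions write the same thing as Offset = Generation * Length), and a constructed secret and nonce in place of values from a real RSTR proof token and DerivedKeyToken.

```python
# Added example, not from the slides: the default P_SHA-1 derivation and the
# <Generation> selection from the "Deriving Keys" slides, carried through to
# the four per-direction keys the slides mention.
import hashlib
import hmac


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 as defined for the TLS PRF (RFC 2246, section 5):
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)),
    output = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return bytes(out[:length])


def first_block_reference(secret: bytes, seed: bytes) -> bytes:
    """The first 20 output bytes written out directly from the definition;
    used to cross-check the loop in p_sha1."""
    a1 = hmac.new(secret, seed, hashlib.sha1).digest()
    return hmac.new(secret, a1 + seed, hashlib.sha1).digest()


def derived_key(secret: bytes, label: bytes, nonce: bytes,
                generation: int, key_length: int) -> bytes:
    """Key named by a <DerivedKeyToken>: block `generation` of
    P_SHA1(secret, label + nonce), i.e. bytes [g*len, (g+1)*len)."""
    if generation < 0 or key_length <= 0:
        raise ValueError("generation must be >= 0 and key_length > 0")
    stream = p_sha1(secret, label + nonce, (generation + 1) * key_length)
    return stream[generation * key_length:(generation + 1) * key_length]


# Assumptions for the example: 128-bit keys and the label "WS-SecureConversation".
KEY_LENGTH = 16
DEFAULT_LABEL = b"WS-SecureConversation"

# One generation per party and purpose (the slide's "four keys" example).
# Both ends compute the same table independently from the shared secret.
KEY_ROLES = ("initiator_sign", "initiator_encrypt",
             "responder_sign", "responder_encrypt")


def session_keys(secret: bytes, nonce: bytes, label: bytes = DEFAULT_LABEL) -> dict:
    return {role: derived_key(secret, label, nonce, gen, KEY_LENGTH)
            for gen, role in enumerate(KEY_ROLES)}


# Constructed values: a real context takes the secret from the RSTR proof
# token and the nonce from <DerivedKeyToken>/<Properties>/<Nonce>.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdef0123456789abcdef")
NONCE = bytes.fromhex("a1b2c3d4e5f60718")

if __name__ == "__main__":
    for role, key in session_keys(SECRET, NONCE).items():
        print(f"{role:18s} {key.hex()}")
```

Because P_SHA1 is a prefix-consistent stream, a party that has already derived generations 0 and 1 can produce generation 2 later without recomputing anything it cannot reproduce; the nonce is what separates the key stream of one DerivedKeyToken from another under the same context secret, so reusing a nonce reuses keys.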
SecureConversation In Action • Web Services Enhancements (WSE) 2.0 for Microsoft .NET implements secure conversations for Web services built on the .NET Framework. • Demonstration
Conclusion of WS-SecureConversation • The WS-SecureConversation specification defines extensions to allow security context establishment and sharing, and session key derivation.
Primary References
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-secureconversation.asp
  Official specification describing WS-SecureConversation.
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wssecdrill.asp
  A good reference that explains how to use Web Services Enhancements 2.0 to implement security, trust, and secure conversations in Web services architecture.
Secondary References
• http://www.microsoft.com/downloads/details.aspx?FamilyId=21FB9B9A-C5F6-4C95-87B7-FC7AB49B3EDD&displaylang=en
  The WSE 2.0 technology preview provides early access to new advanced Web services capabilities.
• http://msdn.microsoft.com/webservices/building/wse/default.aspx
  The latest advanced Web services capabilities to keep pace with the evolving Web services protocol specifications.